Don't Forget Basic Security Measures, Experts Say

Some security leaders argue there is little point in worrying about emerging threats when businesses can't defend against today's attacks.

INTEROP ITX - Las Vegas - New technologies like machine learning, artificial intelligence, and IoT will drive the scale and complexity of cyberattacks. Businesses have every reason to be concerned as the threat landscape continues to grow.

But does it make sense to stress over advanced threats when organizations can't defend against the attacks they currently face?

"A lot of the security threats we face day to day are not fancy, sexy, technologically new stuff," says Anthony Aragues, vice president of product management for Anomali. If these issues were written down, they would be perceived as obvious, but they remain problems.

"We're reminding people -- hey, taking the right steps is important," says Diana Kelley, global executive security advisor for IBM Security. "Threat actors are a lot more motivated than they were 15- to 20 years ago."

Today's users are so dependent on software and connectivity that security disruptions will become increasingly palpable going forward, Kelley says. If an operating system is vulnerable, any business in any industry can be at risk. Hackers don't need to discriminate.

Many organizations, especially small- to midsized businesses, don't really plan their security architecture. In her Interop ITX Cybersecurity Crash Course presentation "Securing Your Enterprise Infrastructure," Dawn-Marie Hutchinson, executive director for the Office of the CISO at Optiv, posed a question to a room packed with IT pros: "Who here has a security strategy?"

Silence. Maybe one hand.

"Every organization right now needs help," she said, noting how attacks are getting easier and cheaper to launch, and more complex to face. "We have more information than we've ever had before, about what's coming after us and how," yet most organizations have immature security strategies.

Attitude is at the root of many security issues organizations face today, Anomali's Aragues explains. It's common for businesses to push security issues to one part of the organization and forget about them. The business often sees security costs as overhead that don't bring value.

"The overall trend that bugs me about security is companies expect it to be handled by the security department," he continues. "We're going to have a problem as long as that's the case."

Last week's WannaCry ransomware attack is a prime example of how businesses aren't putting basic security measures in place. They need to be running only updated operating systems - not older, no longer supported ones like Windows XP - and shut off unnecessary system processes.

"We can blame the Shadow Brokers for leaking NSA vulnerabilities, but there's still the issue of people running old operating systems and leaving open services they don't need to have turned on," he continues.

Individuals and businesses are more connected than ever, but they don't have the security awareness to protect themselves. Organizations can't predict the aftershock of a cyberattack when it hits, explains FireEye CEO Kevin Mandia.

"The vast majority of companies really don't know what happens when you pop off the grid," he says. In his Interop keynote, he emphasized how security hygiene is lacking if a server message block (SMB) exploit can infect more than 200,000 machines, as it did in WannaCry.

Will the latest massive, global cyberattack be a wake-up call? It depends.

The companies who will take action following WannaCry will be those who already have a plan, says Aragues. If they had a strategy in mind and only needed a budget, for example, they can now make some real progress. Those who weren't thinking about security before WannaCry will be playing catch-up and fall behind in all they want to accomplish.

Hutchinson urged tech leaders to build stronger relationships with their business teams. You can't create a business-aligned security strategy with lack of expertise and immature programs, she said.

"The way we used to do things doesn't work anymore," Hutchinson explained. "Think outside the box. The most effective moves aren't always the most natural or comfortable."

Organizations should create three lines of defense in their fight against current cyberattacks and new threats on the horizon. She suggested the following:

Build a highly trained team: Fight for budgets to attend security-focused events, where your team can learn news and information about threat intelligence.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Dawn-Marie Hutchinson notes that information and the frequency of basic attacks is (effectively) the new normal - the skills shortage point mirrors that of a politician growing a police force; no matter how many you deploy to patrol, there will always be holes in the system, as the police are not the system and never will be... the threat can never approach zero.

I'd challenge the assertion that events are useful in this regard, aside from window dressing and networking. Organic skills from employees that are either undisclosed or absent entirely should be the easiest and cheapest port of call for an immediate and proactive response (who knows? Barney in admin may well be a avid dev with his start up on the side...)

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy i...